Systems and methods for location-based automated authentication

ABSTRACT

Systems and methods for location-based automated authentication are disclosed. A system comprises a mobile device, a sensor and a backend platform. The sensor and the backend platform are in network communication. The mobile device is operable to continuously transmit Bluetooth Low Energy (BLE) signals comprising encrypted transitory identifiers. The sensor is operable to receive a BLE signal from the mobile device when the mobile device is within a predetermined range, and communicate over a network connection the encrypted transitory identifier comprised in the BLE signal to the backend platform. The backend platform is operable to extract a unique identifier and a changing encrypted identifier from the received encrypted transitory identifier, generate a changing encrypted identifier, and validate a user identification by comparing the generated changing encrypted identifier and the extracted changing encrypted identifier.

CROSS REFERENCES TO RELATED APPLICATIONS

This application relates to and claims priority from the followingapplications: This application is a continuation of U.S. applicationSer. No. 15/921,197, filed Mar. 14, 2018, which is acontinuation-in-part of U.S. application Ser. No. 15/412,321, filed Jan.23, 2017. U.S. application Ser. No. 15/921,197 is also a continuation ofInternational Application No. PCT/US18/12947, filed Jan. 9, 2018, whichclaims priority to and is a continuation-in-part of U.S. applicationSer. No. 15/412,321, filed Jan. 23, 2017, now U.S. Pat. No. 9,922,473.Each of these applications is incorporated herein by reference in itsentirety.

BACKGROUND OF THE INVENTION 1. Field of the Invention

The invention relates to location-based automated authentication.

2. Description of the Prior Art

Personal mobile devices, especially smart phones, become so popular thatalmost everyone has one with them wherever they are. Moderncommunication technologies and various mobile applications have equippedsmart phones with a variety of functions besides basic calling andtexting. As one example, mobile devices are used for accessauthentication and validation.

By way of example the following are relevant prior art documentsrelating to access authentication and validation:

U.S. Patent Publication No. 20100201536 for “System and method foraccessing a structure using a mobile device” by inventor WilliamBenjamin Robertson et al., filed Feb. 10, 2009, describes a wirelessdevice access system employs short-range wireless communication todetect the proximity of a user device to a structure and a wide-areadata network to communicate an unlock request. The access system thenauthenticates the unlock request and the proximity of the user deviceprior to transmitting an unlock command to the structure. Additionally,the wireless device may require the proximity of a user token prior tooperation and/or the access system may include an override within thestructure blocking any unlock command. Besides providing access to thestructure, the system may perform other functions, such as monitoringroom occupancy, switching power on and off, and the like.

U.S. Patent Publication No. 20130257589 for “Access control using anelectronic lock employing short range communication with mobile device”by inventor Mohammad Mohiuddin et al., filed Mar. 1, 2013, describessystems and methods for obtaining access to an area or an object securedby an electronic locking device. The methods involve: obtaining, by aMobile Communication Device (“MCD”), a unique identifier associated withthe Electronic Locking Device (“ELD”) via a first Short RangeCommunication (“SRC”); communicating the unique identifier from MCD to aRemote Communication Device (“RCD”) via a network connection; receivingat least one symbol associated with the unique identifier thatfacilitates unlocking of ELD from RCD via the network connection; andcausing ELD to be unlocked by communicating a key from MCD to ELD via asecond SRC.

U.S. Patent Publication No. 20140220883 for “Presence Detection UsingBluetooth and Hybrid-Mode Transmitters” by inventor Aaron T. Emigh etal., filed Feb. 4, 2014, describes presence detection using Bluetoothand hybrid-mode transmitters. In some embodiments, one or moretransmitters are configured to transmit an iBeacon broadcast and aproprietary Bluetooth Low Energy (BTLE) broadcast, wherein at least oneof the transmitted broadcasts includes an identifier that specifies avenue. The broadcasts are captured by a handset and decoded to inferpresence of the handset at the venue.

U.S. Patent Publication No. 20140375421 for “Systems and methods forenabling access control via mobile devices” by inventor John DavidMorrison et al., filed Jun. 18, 2014, describes systems and methods forenabling access control via mobile devices. Embodiments of the inventionhave been particularly developed for allowing a user to gain access to acontrolled functionality (for example the unlocking of a door) using asmartphone or the like. These leverage short-range wirelesscommunications, such as Bluetooth Low Energy or Near FieldCommunications.

U.S. Patent Publication No. 20160055693 for “Validation in secureshort-distance-based communication and enforcement system according tovisual objects” by inventor Avishek Somani et al., filed Jun. 18, 2015,describes a secure short-distance-based communication and enforcementsystem validates users in a validation and enforcement area and cancheck if users in the validation and enforcement area have beenvalidated. A visual object can be displayed on an enforcement computerand a mobile device of a user in the in the validation and enforcementarea to determine if a user is validated. The visual object may beperiodically changed.

SUMMARY OF THE INVENTION

Systems and methods for location-based automated authentication aredisclosed. A system comprises a mobile device, a sensor and a backendplatform. The sensor and the backend platform are in networkcommunication. The mobile device is operable to continuously transmitBluetooth Low Energy (BLE) signals comprising encrypted transitoryidentifiers. The sensor is operable to receive a BLE signal from themobile device when the mobile device is within a predetermined range,and transmit an encrypted transitory identifier comprised in the BLEsignal to the backend platform. The backend platform is operable toextract a unique identifier and a changing encrypted identifier from thereceived encrypted transitory identifier, generate a changing encryptedidentifier, and validate a user identification by comparing thegenerated changing encrypted identifier and the extracted encryptedtransitory identifier. An associated mobile application is installed onthe mobile device. The associated mobile application is activated andsend user identification parameters to the backend platform. The mobileapplication and the backend platform use the same algorithm to generatechanging encrypted identifiers.

These and other aspects of the present invention will become apparent tothose skilled in the art after a reading of the following description ofthe preferred embodiment when considered with the drawings, as theysupport the claimed invention.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 is a diagram of BLE transmission and range in one embodiment ofthe present invention.

FIG. 2 is a flowchart of the automated authentication process in oneembodiment of the present invention.

FIG. 3 is a diagram of architecture data flow for the authenticationprocess in one embodiment of the present invention.

FIG. 4 is an illustration of a toll lane use case in one embodiment ofthe present invention.

DETAILED DESCRIPTION

The present invention provides systems and methods for identifying andauthenticating mobile devices in designated locations. A mobile devicedownloads and activates a mobile application (“app”), and providesidentification information to be stored in the BAS. The mobile devicethen transmits Bluetooth Low Energy (BLE) signals containing encryptedidentification information. A sensor receives the BLE signals when themobile device is within range and communicates to a Backend AccountSystem (BAS). The BAS validates and authenticates the useridentification, corresponding functions and actions are executed, and aresponse is sent to the sensor. The mobile device receives the responsefrom the backend system at a later point regarding the execution of thefunctions and/or actions. Additionally, the mobile device user can queryfor the history of transactions at any time.

The present invention is a Location-Based Automated AuthenticationSystem (LBAAS). The LBAAS involves a secure platform for identifyingspecific users in designated geographic locations. In the presentinvention, an Encrypted Transitory Identifier (ETID) is transmitted viaa BLE signal from a mobile device through a BLE sensor and into the BASsystem; and the ETID is resolved at the BAS system into a UniqueIdentifier (UID) and Changing Encrypted Identifier (CEID) that are usedto recognize and authenticate a user.

The ETID is a dynamic and temporary transmission from a user's mobiledevice. The Back-end Account System (BAS) uses a function in the form off_(x)(ETID)=UID+CEID to decode and translate a valid ETID into a staticUID associated with a user and a CEID.

The entire LBAAS consists of three major components: a mobileapplication that broadcasts using BLE, a sensor, and a BAS. Thesecomponents and their functions are described below in Table 1.

TABLE 1 System Component Descriptions & Functions Component CompositionFunction Mobile A software program Transmits ETID via BLE whenApplication running on a mobile activated by user device A sensor Acomputer with an Receives the BLE signals, decodes attached antennacapable EITD, and communicates with the BAS of receiving BLE signals,strategically placed and calibrated based on system functions andrequirements Back end A remote computer and Stores user informationneeded by the Account System data store system to perform its function;(BAS) generates and stores a UID; resolves and validates the CEID frommobile device

In one embodiment, the sensor consists of a Linux based computer with anattached 2.4 GHz high-gain directional antenna. The sensor is in a readystate to collect input from an application running on a mobile devicewithin its immediate vicinity. The mobile application is designed fordevices that have Bluetooth 4.0, capable of emitting BLE signals. TheBAS runs on a remote set of Linux based computers with sufficientcapacity to handle many concurrent lookups from multiple sensors. In oneembodiment, the BAS is configured for a specific application, such as atoll gate scenario, on a platform tailored to system requirements. Thiscan be one or more computers or on a cloud-based platform, which is ableto host many different BAS systems for different applications.

All mobile devices are first registered in the BAS in order to identifyand authenticate users. A user downloads and activates a mobileapplication to a mobile device, and provides identification informationto be stored in the BAS. This identification information is used tocreate a UID as an index for the user. A Changing Time Interval (CTI)for the system is also saved to a user's account along with otheraccount parameters and data to act as a seed in the creation of CEIDs onboth the mobile device and the BAS.

FIG. 1 is a diagram of BLE transmission and range in one embodiment ofthe present invention. During a normal operation, the mobile applicationgenerates and transmits an ETID via BLE, and a sensor recognizes andreads BLE signals along with their corresponding signal strengths. Themobile device is within the detection rage of the sensor when a signalstrength threshold is met. The sensor receives the emitted BLE signal,decodes the ETID, and passes it to the BAS for confirmation of a validuser. The BAS extracts a UID and CEID from the ETID, validate the user'sidentity, returns a response depending on the application to the sensor,and then performs other specific system functions and operations, e.g.,billing, e-mail, text notifications to the originating mobile device, orgenerating system logs. If it is a valid user, a corresponding systemfunction (e.g., raising a gate or activating a light) is executed andthe response provides positive user feedback. If it is not a valid user,the response provides negative user feedback. FIG. 2 illustrates theAutomated Authentication Process in one embodiment of the presentinvention. Feedback for unauthorized users on their mobile devices islimited based on whether they have active accounts in the BAS.

FIG. 3 illustrates a data flow architecture for user authentication.

When a user first downloads and opens the mobile application, theyprovide information to populate the BAS. There are a few other keyparameters automatically collected or generated including a ChangingTime Interval (CTI), an Original Account Timestamp (OAT), a Unique ID(UID), and Unique Encryption Key. These parameters are stored in boththe BAS and the non-volatile memory of the mobile device; and arerequired to identify and authorize the particular mobile device in realtime.

Once all the necessary parameters are created and stored, theauthentication process begins when a user turns on the application andBLE signals are emitted from the mobile device. Preferably, a userverification step, for example, a pin, a fingerprint, or a voicepassword, is needed for turning on the mobile application for securitypurposes. For example, an application may require the use ofverification for a limited time to prevent unauthorized use of themobile device. The content of the BLE signal is generated from a seriesof proprietary steps that effectively provide a unique secure algorithmthat runs in the background of the application. The OAT, CTI, and theCurrent Timestamp (CT) is used to calculate a value for userauthentication. This value is then encrypted with an Advanced EncryptionStandard (AES) algorithm using the Unique Encryption Key. The result isreduced into a usable size and known as the CEID. The CEID is thencombined with the UID to create the ETID that is packaged andtransmitted in a unique BLE signal. The present invention providessecure user identification transmission over BLE signals, because theCEIDs in the BLE signals change over time based on the algorithm used tocreate the CEIDs. This way, the BLE signals cannot be emulated, copiedor replayed.

A calibrated BLE sensor reads BLE signals that are within range andtranslates the BLE signals from the mobile device into the ETID. Thesensor then connects to the BAS to transfer the ETID.

The BAS extracts the UID from the ETID. The UID is used to look up thespecific user parameters. The BAS performs the same algorithm as that ofthe mobile device, and generates a CEID using the CTI, the OAT, the CT,and the Unique Encryption Key. The BAS then compares the extracted CEID(from the ETID sent by the sensor) with the generated CEID to validatethe user.

If the CEIDs match, the functions and/or actions of the system arecarried out (e.g., flash an indicator or open a gate, and charging anaccount). If the values do not match, no further functions or actionsare necessary. In either case, the BAS sends the successful or failedresponse back to the sensor so it may complete the transaction at thepoint of BLE reception.

The system in the present invention transforms an insecure open-sourceBLE format into a secure proprietary solution for automated transactionsby the use of encryption, synchronous clocks, and highly sophisticatedalgorithms. With the unique security solution, the system is able toidentify and authenticate users while preventing replay attacks. It isvirtually impossible for someone to eavesdrop on someone else's BLEsignal and retransmit the same signal.

Many mobile applications use BLE technology to scan for signals thattrigger some other action. Typically, the mobile device is used as ascanner and not as a broadcaster. However, the present inventionreverses the direction of the data flow. Instead of receiving signals,the mobile device in the present invention is broadcasting signals inthe background of the phone with virtually no battery consumption. Byreversing the data direction and using BLE, the architecture in thepresent invention has a relatively low impact on mobile device batterylevels. BLE can be active for days without any substantial drain onbattery resources. Mobile devices, for example mobile devices equippedwith Bluetooth 4.0, Bluetooth 5.0 and later Bluetooth versions, areoperable to transmit small amounts of data periodically with very lowpower consumption using BLE functionality. In one embodiment of thepresent invention, BLE mobile devices broadcast ETIDs via BLE signals onthe 2.4 GHZ bandwidth.

The BLE functionality works in two different modes, namely connectedmode and advertising mode, which are utilized for different purposes.BLE mobile devices in the present invention preferably never operate inconnected mode, and therefore never establish a communication connectionwith any other BLE devices. Never establishing a communicationconnection with any other BLE devices significantly reduces batterypower consumption of the mobile device. In the present invention, BLEmobile devices transmit ETIDs in advertising mode. In one embodiment, auser is enabled to turn a BLE mobile device to a driving mode or standbymode so as to turn on or off the BLE advertising mode for ETIDbroadcasting. For example, a user gets into his/her car and turnshis/her BLE mobile device to driving mode, and his/her mobile devicestarts emitting BLE signals including ETIDs. Once the user reacheshis/her destination, he/she turns his/her BLE mobile device to standbymode, preferably by exiting driving mode, and the BLE mobile devicestops transmitting BLE signals. In another embodiment, BLE mobiledevices are operable to detect if the BLE mobile devices are in motionor stationary based on location services and related technologies. Whena BLE mobile device detects itself in motion, the advertising mode istriggered and the mobile device starts transmitting BLE signalsincluding ETIDs. In one embodiment, a threshold for motion is a certainspeed, such as 10 miles per hour (mph), 15 mph, 20 mph, 25 mph, 30 mph,35 mph, 40 mph, 45 mph, 50 mph, 55 mph, 60 mph, or 65 mph. Advertisingmode is activated upon the threshold for motion being reached, andremains activated while the speed is above the defined threshold.Additionally, advertising mode remains activated for a period of timefollowing a drop in the measured speed below the defined threshold, suchas 5 minutes, 10 minutes, 15 minutes, 30 minutes, 1 hour, or 2 hoursafter dropping below the defined threshold. This advantageously accountsfor variations in traffic, such as traffic jams. When the BLE mobiledevice detects itself stationary for a predetermined time period, itstops transmitting BLE signals. In another alternative, the mobiledevice is operable to recognize that it is within a predeterminedproximity of a vehicle or within the vehicle by receiving a BLE signalfrom the vehicle or any other method known in the art for a mobiledevice to recognize a presence of a vehicle and/or for a vehicle torecognize a presence of a mobile device, and the advertising mode istriggered so that the mobile device starts transmitting BLE signalsincluding ETIDs.

The BLE functionality typically has four configurable frequency settingsthat affect ETID transmission rates. The actual frequency changes at theoperating system level due to CPU activity of a device. If the CPU of aBLE mobile device is busy at the time the BLE mobile device is set indriving mode, the BLE mobile device transmits BLE signals slightly lessfrequently than when the CPU is idle. In one embodiment, the presentinvention utilizes the highest frequency setting for BLE transmissionsto maintain reliability. The higher the frequency, the more BLE signalsa BLE sensor collects while a BLE mobile device is within a certaindistance of the BLE sensor. A high frequency setting is particularlyimportant for BLE mobile devices in vehicles traveling at high speeds.For example, a vehicle traveling at 100 mph is only within the scanningrange of a BLE sensor for a very brief time period. Higher BLEtransmission frequency enables the BLE sensor to pick up more BLEsignals as the vehicle travels at high speeds past the BLE sensor. Inone embodiment, the BLE signal transmission frequency increases with thespeed of a vehicle, with the speed being determined via a GlobalPositioning System (GPS) or any other technology for determining speedin real-time or near real-time. A lower BLE transmission frequencypotentially causes a BLE sensor to miss BLE signals from a BLE mobiledevice as it passes at a high speed. Higher BLE transmission frequencyprovides lower latency and better reliability but with more batteryconsumption. In one embodiment, the BLE transmission frequency is set at10 Hz, and the ETID transmission rate is about 10 Hz or 10 ETIDs persecond. Frequency deviations are about 1-3 Hz due to CPU activities of aBLE mobile device when BLE signals transmitted from the BLE mobiledevice are received by a BLE sensor. Thus, in one example, a BLEtransmission frequency is between about 7 Hz and about 13 Hz, oralternatively between about 9 Hz and about 11 Hz.

In the present invention, there is no initiation by the mobile devicefor communication with a computer system in order to exchange messagesfor authentication, and there is no connection needed between the mobiledevice and the BAS to complete a transaction. The mobile device merelyemits BLE signals comprising ETIDs generated from CEIDs. Once the sensorreceives the BLE signals, the authentication process is done between thesensor and the BAS.

The unique broadcasting feature also enables the application to performwith very little network connection. A network is only needed duringregistration to connect the mobile device to the BAS. Once thisinformation is recorded, the Automated Authentication Process isperformed without network connection between the mobile device and theBAS. The receiving device is a stationary sensor which can be attachedto a constant power source and handle all networking requirements. Inother words, the mobile device merely emits BLE signals and theidentification and authentication are performed on the sensor and theBAS.

The mobile device application and the BAS are highly customizable. Thearea within which a sensor will detect a BLE signal and the signalstrength required to trigger the user authentication can be adjusted tomeet requirements of different applications and/or tasks. Sensors canalso be placed in a variety of different locations. Possibleapplications include: tolls, gates, entrances, garages, boat lifts, skilifts, etc.

The present invention is applicable to places where Radio FrequencyIdentification (RFID) or Near Field Communication (NFC) technologies areused for identification authentication and validation. The encrypted BLEtransmission by mobile devices in the present invention provides acomparably secure and more convenient mechanism for user identification.The use of both one-way identification and processing application on asingle user device makes this a more convenient platform for uservalidation.

Use Case 1: Toll Collection

In one embodiment, the use of BLE enables a secure low energy solutionfor toll collection systems as shown in FIG. 4.

During a preliminary phase, BAS data requirements are defined and thenthe BAS is set up with a network connection; sensors are installed,calibrated, and connected to given toll locations; and users download anapp to their mobile devices and enter all required account information.Changing Time Interval, Original Timestamp, UID, Unique Encryption Keyare automatically generated and saved to the user system account. Usersprovide credit card or bank information, billing addresses, validvehicle plate numbers, and other personal information.

During an execution phase, a user gets in the car and turns on theapplication on his mobile device. The application generates a CEID usinga secure algorithm and combines the CEID with the user's UID to createan ETID. The ETID is packaged and broadcast via a BLE signal. The BLEsignal is continuous, but the ETID being broadcast changes based on thedefined Changing Time Interval. As the car approaches the toll booth,the toll booth sensor starts to receive the BLE transmission. The mobiledevice is within range when a predetermined signal strength threshold ismet. The toll booth sensor reads the BLE signal and translates it intothe ETID. The toll booth sensor connects to the BAS and sends the ETID.The BAS receives the ETID and separates it into the UID and CEID. TheBAS looks up the user system account using the UID separated from thereceived ETID. The parameters saved to the user system account withinthe BAS, including Changing Time Interval, Original Timestamp, UID, andUnique Encryption Key, are used to synthesize a CEID with the samealgorithm used by the mobile device application. The BAS compares thesynthesized CEID to the one received from the mobile device (via BLE andthe toll booth sensor). If the CEIDs match, a license plate photo istaken for secondary verification; the user credit card or bank accountis charged; a log or invoice is generated and sent to the user's mobileapplications; and the light on the toll booth turns green. If the CEIDsdo not match, a license plate photo could be taken for secondaryverification or ticketing. For further integration, if the plate photois verified and the account is charged, a log is generated and sent tothe application to notify the user that the account was successfullycharged, and the light on the toll booth turns green. If the plate photois not verified, the light on the toll booth turns red.

Use Case 2: Gated Entrance Admission

In one embodiment, the present invention is used for admitting to gatedfacilities, for example, a gated neighborhood, a garage, an entrance toa factory or other facilities, etc. A BAS is set up with specific datarequirements for gated entrance admission. A gate sensor at the gatedentrance is installed, calibrated and connected to the BAS in networkcommunication. Authorized users download an app to their mobile devicesand enter all required information. For example, authorized licenseplate numbers, authorized user names, work identifications, phonenumbers, and other personal information for people who are authorized toenter a gated facility. Changing Time Interval, Original Timestamp, UID,Unique Encryption Key are automatically generated and saved tocorresponding user system accounts.

A user turns on the app on his mobile device. The app generates a CEIDusing a secure algorithm and combines the CEID with the user's UID togenerate an ETID. The ETID is packaged and broadcast via a BLE signal.The BLE signal is continuous, but the ETID changes based on the definedChanging Time Interval. As the user approaches the gated entrance, thegate sensor starts to receive the BLE transmission. The mobile device iswithin range when a predetermined signal strength threshold is met. Thegate sensor reads the BLE signal and translates it into the ETID. Thegate sensor then sends the ETID to the BAS. The BAS receives the ETIDand separates it into the UID and CEID. The BAS looks up the user systemaccount using the UID separated from the received ETID. The parameterssaved to the user system account within the BAS, including Changing TimeInterval, Original Timestamp, UID, and Unique Encryption Key, are usedto synthesize a CEID with the same algorithm used by the mobile deviceapplication. The BAS compares the synthesized CEID to the one receivedfrom the mobile device (via BLE and the gate sensor). If the CEIDsmatch, a gate light turns green and the gate is open for the userautomatically; and the user may receive a notification on the mobiledevice regarding the admission at a later time. If the CEIDs do notmatch, the gate light turns red and the gate keeps closed, and the userreceives a notification for denial.

Use Case 3: Employee Access

In one embodiment, the present invention is used for employee accessauthentication. For example, in a large company campus, there aredifferent departments, usually employees are only authorized to enterthe department they work at and public space, only certain employeessuch as high-level management personnel can access to multipledepartments. For example, only laboratory staff and executives areallowed to enter a certain laboratory. A BAS is set up with specificdata requirements for the laboratory entrance. A sensor at the entranceis installed, calibrated and connected to the BAS in networkcommunication. Authorized employees download a mobile app to theirmobile devices and enter all required information. For example, workidentifications, employee names, phone numbers, and other employmentrelated data for employees who are authorized to enter the laboratory.Changing Time Interval, Original Timestamp, UID, Unique Encryption Keyare automatically generated and saved to the corresponding employeesystem accounts on both the mobile app and the BAS.

An employee turns on the app on his mobile device. At this point, theapplication may request a fingerprint scan to verify user identity. Thefingerprint can be sent to the BAS to verify the user identity for adefined short interval. This activity will essentially authenticate theholder of the device as the individual authorized for entrance. The appgenerates a CEID using a secure algorithm and combines the CEID with theemployee's UID to generate an ETID. The ETID is packaged and broadcastvia a BLE signal. The BLE signal is continuous, but the ETID changesbased on the defined Changing Time Interval. As the employee approachesthe entrance to the laboratory, the sensor at the entrance of thelaboratory starts to receive the BLE transmission. The mobile device iswith range when a predetermined signal strength threshold is met. Thesensor reads the BLE signal and translates it into the ETID. The sensorthen sends the ETID to the BAS. The BAS receives the ETID and separatesit into the UID and CEID. The BAS looks up the employee system accountusing the UID separated from the received ETID. The parameters saved tothe employee system account within the BAS, including Changing TimeInterval, Original Timestamp, UID, and Unique Encryption Key, are usedto synthesize a CEID with the same algorithm used by the mobile app. TheBAS compares the synthesized CEID to the one received from the mobiledevice (via BLE and the sensor). If the CEIDs match, the entrance isunlocked and open for the employee automatically; and the employeereceives a notification for successful admission. If the CEIDs do notmatch, the entrance keeps locked and closed, and the employee receives anotification for denial.

Such an employee access authorization system provides security andconvenience for employee access, especially when an employee approachesto an entrance to his department with his hands full. The employee doesnot have to try to free up his hands for keying in a password or swipinga card or tapping a card in order to unlock and open the door, as alongas the mobile application described in the present invention is turnedon, the entrance is unlocked and open automatically once the employeegets to the proximity of the entrance and his identification is verifiedby the system as described above.

User Case 4: Loyalty Identification Recognition

In one embodiment, the present invention is used for presenting loyaltyidentification and making payment at a retail store. For example, agrocery store has its mobile application and the location-basedautomated authorization function is incorporated into the grocery storemobile app. A BAS is set up with specific data requirements forrecognizing loyalty identification and making payment. At least onepoint of sale (POS) station is calibrated to receive BLE signals andconnected to the BAS in network communication. Customers in the storeloyalty program download the store app to their mobile devices and enterall required information. For example, customer names, phone numbers,member identification numbers, bank account information, billingaddresses, and other associated information. Changing Time Interval,Original Timestamp, UID, Unique Encryption Key are automaticallygenerated and saved to corresponding loyalty system accounts.

A loyalty member turns on the store app on his mobile device. The storeapp generates a CEID using a secure algorithm and combines the CEID withthe user's UID to generate an ETID. The ETID is packaged and broadcastvia a BLE signal. The BLE signal is continuous, but the ETID changesbased on the defined Changing Time Interval. As the loyalty member scansitems in the cart at a POS station, the POS station starts to receivethe BLE transmission. The mobile device is within range when apredetermined signal strength threshold is met. The POS station readsthe BLE signal and translates it into the ETID. The POS station thensends the ETID to the BAS. The BAS receives the ETID and separates intothe UID and CEID. The BAS looks up the loyalty system account using theUID separated from the received ETID. Parameters saved to the loyaltysystem account within the BAS, including Changing Time Interval,Original Timestamp, UID, and Unique Encryption Key, are used tosynthesize a CEID with the same algorithm used by the store app. The BAScompares the synthesized CEID to the one received from the mobile device(via BLE and the point of sale station). If the CEIDs match, loyaltypoints and/or discounts are applied, the loyalty member's credit card orbank account is charged and a receipt is generated and sent to theloyalty member's store app automatically when the customer is ready tocheck out. If the CEIDs do not match, the customer is asked to provideother types of payment to check out.

Customers do not have to carry their credit cards and debit cards andmembership cards and coupons and other physical payment mediums in aphysical wallet when they shop in a store. A store app integrated withthe location-based automatic authentication in the present inventionenables a secure and convenient mobile payment for in-store shopping.

Certain modifications and improvements will occur to those skilled inthe art upon a reading of the foregoing description. The above-mentionedexamples are provided to serve the purpose of clarifying the aspects ofthe invention and it will be apparent to one skilled in the art thatthey do not serve to limit the scope of the invention. All modificationsand improvements have been deleted herein for the sake of concisenessand readability but are properly within the scope of the presentinvention.

The invention claimed is:
 1. A system for location-based authentication,comprising: an application on a mobile device, a sensor, and a backendplatform; wherein the application on the mobile device is operable tocause the mobile device to construct a Bluetooth Low Energy (BLE) signalthrough: constructing a changing identifier; combining the changingidentifier with a unique identifier to form a transitory identifier; andpackaging the transitory identifier into the BLE signal; wherein themobile device is operable to transmit the BLE signal comprising thetransitory identifier; wherein the sensor is operable to receive the BLEsignal and transmit the transitory identifier comprised in the BLEsignal to the backend platform; wherein the backend platform is operableto: extract the changing identifier and the unique identifier from thereceived transitory identifier; retrieve user identification parametersbased on the unique identifier; construct a second changing identifierbased on the user identification parameters; and validate a useridentification by comparing the second changing identifier and theextracted changing identifier.
 2. The system of claim 1, wherein themobile device is further operable to increase or decrease a transmissionrate for transmitting the BLE signal based on a determined idleness ofthe mobile device.
 3. The system of claim 1, wherein the mobile devicetransmits the BLE signal comprising the transitory identifier at a rateof between about 7 Hz and about 13 Hz.
 4. The system of claim 1, whereinthe mobile device is further operable to automatically activate the BLEadvertising mode upon detecting that a measured or approximated speed ofthe mobile device is above a threshold, that the mobile device islocated within a vehicle, or that the mobile device is within apredetermined distance of the vehicle.
 5. The system of claim 1, whereina transmission rate of the BLE signal is dependent upon a CentralProcessing Unit (CPU) activity of the mobile device.
 6. The system ofclaim 1, wherein a BLE connection is never established between themobile device and the sensor and a BLE connection is never establishedbetween the mobile device and the backend platform.
 7. The system ofclaim 1, wherein the mobile device utilizes a highest availabletransmission rate setting for BLE transmissions.
 8. The system of claim1, wherein the changing identifier is encrypted.
 9. The system of claim1, wherein the changing identifier is based on an original accounttimestamp, a changing time interval, and/or a current timestamp.
 10. Thesystem of claim 1, wherein the changing identifier changes based on achanging time interval.
 11. A method for location-based authentication,comprising: an application on a mobile device causing the mobile deviceto construct a transitory identifier from a changing identifier and aunique identifier; the mobile device packaging the transitory identifierinto a Bluetooth Low Energy (BLE) signal; the mobile device transmittingthe BLE signal; a sensor receiving the BLE signal; the sensorcommunicating the transitory identifier comprised in the BLE signal to abackend platform via network communication; the backend platformreceiving the transitory identifier; the backend platform extracting thechanging identifier and the unique identifier from the receivedtransitory identifier; the backend platform retrieving useridentification parameters based on the unique identifier andconstructing a second changing identifier; and the backend platformvalidating a user identification by comparing the second changingidentifier and the extracted changing identifier.
 12. The method ofclaim 11, further comprising the mobile device increasing or decreasinga transmission rate for transmitting the BLE signal based on adetermined idleness of the mobile device.
 13. The method of claim 11,wherein the mobile device transmits the BLE signal comprising thetransitory identifier at a rate of between about 7 Hz and about 13 Hz.14. The method of claim 11, wherein the changing identifier isencrypted.
 15. The method of claim 11, wherein the changing identifieris based on an original account timestamp, a changing time interval,and/or a current timestamp.
 16. The method of claim 11, wherein thechanging identifier changes based on a changing time interval.
 17. Asystem for location-based authentication, comprising: an application ona mobile device, a sensor, and a backend platform; wherein the mobiledevice is operable to transmit a Bluetooth Low Energy (BLE) signalcomprising an encrypted transitory identifier; wherein the sensor isoperable to receive the BLE signal from the mobile device and transmitthe encrypted transitory identifier comprised in the BLE signal to thebackend platform; wherein the backend platform is operable to extract aunique identifier and a changing encrypted identifier from the receivedencrypted transitory identifier, generate a second changing encryptedidentifier based on user identification parameters associated with theextracted unique identifier, and validate a user identification bycomparing the generated second changing encrypted identifier and theextracted changing encrypted identifier; and wherein the mobile devicetransmits the BLE signal comprising the encrypted transitory identifierat a rate of between about 7 Hz and about 13 Hz.
 18. The system of claim17, wherein the mobile device is further operable to increase ordecrease a transmission rate for transmitting the BLE signal based on adetermined idleness of the mobile device.
 19. The system of claim 17,wherein the mobile device is further operable to automatically activatethe BLE advertising mode upon detecting that a measured or approximatedspeed of the mobile device is above a threshold, that the mobile deviceis located within a vehicle, or that the mobile device is within apredetermined distance of the vehicle.
 20. The system of claim 17,wherein a transmission rate of the BLE signal is dependent upon aCentral Processing Unit (CPU) activity of the mobile device.